 - RU.LINUX ---------------------------------------------------------------------
 From : Andrey Ovchinnikov                   2:467/70.49    07 Jul 2004  00:53:44
 To : Eugene B. Berdnikov
 Subject : Re: miracles with masquerading
 -------------------------------------------------------------------------------- 
 
 
 In junk Eugene B. Berdnikov <berd@desert.ihep.su> wrote:
 
 EBB>  First, look for typos in the script and post the output of iptables -t nat -L
 EBB>  before and after the "manual work", plus the contents of /proc/net/ip_conntrack.
 
 I understand that there are no miracles in this world, but I still can't find the mistake.
 So:
 1. The firewall script itself
 ============ FIREWALL ===============
 #!/bin/bash
 # Internet Firewall start configuration
 # eth1 is connected to the Internet
 # eth0 is connected to a private subnet
 
 PRIVATE=192.168.2.0/24
 LOOP=127.0.0.1
 
 # Delete old iptables rules and temporary block all traffic
 iptables -P OUTPUT DROP
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -F
 iptables -F -t nat
 
 # Set default policies
 iptables -P OUTPUT ACCEPT
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 
 # Prevent external packets from using loopback addr
 iptables -A INPUT -i eth1 -s $LOOP -j DROP
 iptables -A FORWARD -i eth1 -s $LOOP -j DROP
 iptables -A INPUT -i eth1 -d $LOOP -j DROP
 iptables -A FORWARD -i eth1 -d $LOOP -j DROP
 
 # Anything coming from Internet should have a real Internet address
 iptables -A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
 iptables -A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
 iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
 iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
 iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
 
 # Block outgoing NetBIOS
 iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP
 iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP
 iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP
 iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP
 
 # Check source address validity on packets going out to Internet
 iptables -A FORWARD -s ! $PRIVATE -i eth0 -j DROP
 
 # Allow local loopback
 iptables -A INPUT -s $LOOP -j ACCEPT
 iptables -A INPUT -d $LOOP -j ACCEPT
 
 # Allow incoming pings
 iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 
 # Allow services such as ssh, www etc.
 iptables -A INPUT -p tcp --dport ssh -j ACCEPT
 iptables -A INPUT -p tcp --sport 20 -j ACCEPT 
 
 # Allow incoming OpenVPN packets
 iptables -A INPUT -p udp --dport 5000 -j ACCEPT
 
 # Allow packets from TUN/TAP devices
 iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A FORWARD -i tun+ -j ACCEPT
 iptables -A INPUT -i tap+ -j ACCEPT
 iptables -A FORWARD -i tap+ -j ACCEPT
 # Allow packets from private subnet
 iptables -A INPUT -i eth0 -j ACCEPT
 iptables -A FORWARD -i eth0 -j ACCEPT
 
 # Keep state of connections from local machine and private subnets
 iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Masquerade local subnet
 iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE
 ==================================================================
 
 2. Output of iptables -L (masquerading does not work)
 
 Chain INPUT (policy DROP)
 target     prot opt source               destination         
 DROP       all  --  localhost            anywhere            
 DROP       all  --  anywhere             localhost           
 DROP       all  --  192.168.0.0/16       anywhere            
 DROP       all  --  172.16.0.0/12        anywhere            
 DROP       all  --  10.0.0.0/8           anywhere            
 ACCEPT     all  --  localhost            anywhere            
 ACCEPT     all  --  anywhere             localhost           
 ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
 ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
 ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data 
 ACCEPT     udp  --  anywhere             anywhere            udp dpt:5000 
 ACCEPT     all  --  anywhere             anywhere            
 ACCEPT     all  --  anywhere             anywhere            
 ACCEPT     all  --  anywhere             anywhere            
 ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
 
 Chain FORWARD (policy DROP)
 target     prot opt source               destination         
 DROP       all  --  localhost            anywhere            
 DROP       all  --  anywhere             localhost           
 DROP       all  --  192.168.0.0/16       anywhere            
 DROP       all  --  172.16.0.0/12        anywhere            
 DROP       all  --  10.0.0.0/8           anywhere            
 DROP       tcp  --  anywhere             anywhere            tcp spts:netbios-ns:netbios-ssn 
 DROP       udp  --  anywhere             anywhere            udp spts:netbios-ns:netbios-ssn 
 DROP       all  -- !192.168.2.0/24       anywhere            
 ACCEPT     all  --  anywhere             anywhere            
 ACCEPT     all  --  anywhere             anywhere            
 ACCEPT     all  --  anywhere             anywhere            
 ACCEPT     all  --  anywhere             anywhere            state NEW 
 ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
 
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         
 DROP       tcp  --  anywhere             anywhere            tcp spts:netbios-ns:netbios-ssn 
 DROP       udp  --  anywhere             anywhere            udp spts:netbios-ns:netbios-ssn 
 ACCEPT     all  --  anywhere             anywhere            state NEW 
 ================================================================
 3. Output of iptables -L -t nat (masquerading does not work)
 
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination         
 
 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination         
 MASQUERADE  all  --  192.168.2.0/24       anywhere            
 
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         
 ================================================================
 4. Contents of ip_conntrack (masquerading does not work, end of file)
 
 tcp      6 114 TIME_WAIT src=192.168.2.11 dst=192.168.2.1 sport=1037 dport=3128 src=192.168.2.1 dst=192.168.2.11 sport=3128 dport=1037 [ASSURED] use=1 
 tcp      6 112 TIME_WAIT src=192.168.2.11 dst=192.168.2.1 sport=1033 dport=3128 src=192.168.2.1 dst=192.168.2.11 sport=3128 dport=1033 [ASSURED] use=1 
 tcp      6 427031 ESTABLISHED src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1714 [UNREPLIED] src=192.168.2.14 dst=192.168.2.1 sport=1714 dport=3128 use=1 
 tcp      6 114 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41576 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41576 [ASSURED] use=1 
 tcp      6 119 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41587 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41587 [ASSURED] use=1 
 tcp      6 117 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41584 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41584 [ASSURED] use=1 
 tcp      6 115 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41577 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41577 [ASSURED] use=1 
 ==================================================================
 
 5. Now I run `iptables -F -t nat && iptables -t nat -A POSTROUTING
 -s 192.168.2.0/24 -j MASQUERADE` and everything starts working. I ping
 a few arbitrary sites from the clients.
 
 ip_conntrack (end of file):
 
 tcp      6 114 TIME_WAIT src=192.168.2.14 dst=205.188.250.25 sport=1229 dport=80 src=205.188.250.25 dst=80.140.225.9 sport=80 dport=1229 [ASSURED] use=1 
 tcp      6 102 TIME_WAIT src=192.168.2.14 dst=192.168.2.1 sport=1174 dport=3128 src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1174 [ASSURED] use=1 
 tcp      6 104 TIME_WAIT src=80.140.225.9 dst=64.12.163.136 sport=41618 dport=80 src=64.12.163.136 dst=80.140.225.9 sport=80 dport=41618 [ASSURED] use=1 
 tcp      6 117 TIME_WAIT src=80.140.225.9 dst=205.188.165.185 sport=41661 dport=80 src=205.188.165.185 dst=80.140.225.9 sport=80 dport=41661 [ASSURED] use=1 
 tcp      6 106 TIME_WAIT src=80.140.225.9 dst=64.12.163.136 sport=41626 dport=80 src=64.12.163.136 dst=80.140.225.9 sport=80 dport=41626 [ASSURED] use=1 
 tcp      6 103 TIME_WAIT src=192.168.2.14 dst=192.168.2.1 sport=1179 dport=3128 src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1179 [ASSURED] use=1 
 tcp      6 112 TIME_WAIT src=80.140.225.9 dst=64.12.163.136 sport=41654 dport=80 src=64.12.163.136 dst=80.140.225.9 sport=80 dport=41654 [ASSURED] use=1 
 tcp      6 109 TIME_WAIT src=192.168.2.14 dst=192.168.2.1 sport=1205 dport=3128 src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1205 [ASSURED] use=1 
 =======================================================================
 iptables -t nat -L:
 
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination         
 
 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination         
 MASQUERADE  all  --  192.168.2.0/24       anywhere            
 
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         
 =======================================================================
 
 If you need the full files, tell me where to send them and I will. I'd be VERY
 glad for any straightening of my crooked hands ;-) 192.168.2.1 is the
 server's address.
 -- 
 powered by Saicat Linux 2:467/70.49
 --- tin/1.5.16-20030125 ("Bubbles") (UNIX) (Linux/2.4.26 (i686))
  * Origin: //Born to run Unix... (2:467/70.49)
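A small reader for the /proc/net/ip_conntrack dumps quoted in the post, added here as an example; it is not part of Andrey's message or his script. The tell-tale of a working MASQUERADE rule is visible in the dump itself: for the flow src=192.168.2.14 dst=205.188.250.25 the reply tuple is addressed to dst=80.140.225.9, the gateway's public address, not to the client. For the proxy flows to 192.168.2.1:3128 and for the gateway's own flows the reply tuple mirrors the original one. The code assumes the Linux 2.4 ip_conntrack line layout exactly as shown above (the 2.6 nf_conntrack layout differs), takes 192.168.2.0/24 from $PRIVATE in the script, and uses four entries copied from the dumps as its constructed sample. It generalizes slightly beyond the post by also flagging "leaking" flows, i.e. a LAN client reaching the Internet with its private source address intact, which is what an admin would see if FORWARD allowed the traffic but the POSTROUTING rule did not match it.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# $PRIVATE from the firewall script above.
PRIVATE = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample: four entries copied from the ip_conntrack dumps in this post
# (Linux 2.4 /proc/net/ip_conntrack layout; one tracked connection per line).
SAMPLE_DUMP = """\
tcp      6 114 TIME_WAIT src=192.168.2.11 dst=192.168.2.1 sport=1037 dport=3128 src=192.168.2.1 dst=192.168.2.11 sport=3128 dport=1037 [ASSURED] use=1
tcp      6 427031 ESTABLISHED src=192.168.2.1 dst=192.168.2.14 sport=3128 dport=1714 [UNREPLIED] src=192.168.2.14 dst=192.168.2.1 sport=1714 dport=3128 use=1
tcp      6 114 TIME_WAIT src=80.140.225.9 dst=64.4.48.253 sport=41576 dport=80 src=64.4.48.253 dst=80.140.225.9 sport=80 dport=41576 [ASSURED] use=1
tcp      6 114 TIME_WAIT src=192.168.2.14 dst=205.188.250.25 sport=1229 dport=80 src=205.188.250.25 dst=80.140.225.9 sport=80 dport=1229 [ASSURED] use=1
"""

# One direction of a tracked tcp/udp connection: src=... dst=... sport=... dport=...
TUPLE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")


@dataclass
class Flow:
    proto: str
    state: str
    orig_src: str
    orig_dst: str
    reply_src: str
    reply_dst: str
    unreplied: bool

    def snat(self) -> bool:
        """Source NAT took place if replies are addressed to something other than the original source."""
        return self.reply_dst != self.orig_src

    def dnat(self) -> bool:
        """Destination NAT took place if replies come from something other than the original destination."""
        return self.reply_src != self.orig_dst


def parse_entry(line: str) -> Optional[Flow]:
    """Parse one ip_conntrack line; None for entries without two port tuples (e.g. icmp)."""
    fields = line.split()
    if len(fields) < 4:
        return None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    # tcp entries carry a state word after the timeout; udp entries go straight to src=
    state = "" if fields[3].startswith("src=") else fields[3]
    (osrc, odst, _, _), (rsrc, rdst, _, _) = tuples
    return Flow(proto=fields[0], state=state, orig_src=osrc, orig_dst=odst,
                reply_src=rsrc, reply_dst=rdst, unreplied="[UNREPLIED]" in line)


def parse_dump(text: str) -> List[Flow]:
    return [f for f in (parse_entry(l) for l in text.splitlines()) if f is not None]


def classify(flow: Flow) -> str:
    """Where did the flow originate, and was it masqueraded on the way out?"""
    src_private = ipaddress.ip_address(flow.orig_src) in PRIVATE
    dst_private = ipaddress.ip_address(flow.orig_dst) in PRIVATE
    if src_private and dst_private:
        return "local"        # LAN to LAN, e.g. clients talking to the proxy on 192.168.2.1:3128
    if src_private and not dst_private:
        # A LAN client going to the Internet: exactly what the MASQUERADE rule is for.
        # "leaking" means the private source address went out unrewritten.
        return "masqueraded" if flow.snat() else "leaking"
    return "host"             # the gateway's own public-address traffic (or inbound)


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per category; a non-zero 'leaking' count points at a NAT rule that is not matching."""
    return dict(Counter(classify(f) for f in flows))


if __name__ == "__main__":
    flows = parse_dump(SAMPLE_DUMP)
    for f in flows:
        print(f"{classify(f):11s} {f.orig_src} -> {f.orig_dst}  (replies go to {f.reply_dst})")
    print(summarize(flows))
```

Run against a live box with `python3 conntrack_check.py < /proc/net/ip_conntrack` after replacing SAMPLE_DUMP with sys.stdin.read(); the interesting outcome is a "masqueraded" entry for each LAN client session, and zero "leaking" ones.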
 
 
